[pf4freebsd] Re: Problem with pf and ng0 interface.
Max Laier
max at love2party.net
Wed Sep 15 20:58:04 PDT 2004
On Wednesday 10 December 2003 19:46, DrumFire wrote:
> pass in quick on { rl0,rl2,ng0 } proto tcp from $myIP to any keep state
>
> If I try to load pf.conf with this rule, when mpd is not active, pf
> gives me a syntax error:
>
> /usr/local/etc/pf.conf:14: unknow interface ng0
>
> How can I load pf.conf without having the mpd program loaded?
>
> Because I don't want to load mpd at boot each time.
I am afraid it is (currently) not possible to load rules for nonexistent
interfaces.
> With ipfw2, if I add a rule with an interface that doesn't exist, the rule
> is loaded anyway, and when the interface becomes active, the rule is
> processed.
Note that there is a very basic difference between pf and ipfw on this point:
pf optimizes the ruleset upon load. For this purpose it needs to know some
information about the interface(s). ipfw evaluates through the complete ruleset
every time (without manual optimization), hence it doesn't need to know much
when it loads the ruleset.
> How can I solve this problem with pf?
Create ng0 before loading the ruleset, or load your ruleset depending on ng0
(e.g. if ifconfig -a | grep ng0; then pfctl -ef pf1; else pfctl -ef pf2; fi).
Note that the above rule doesn't seem to make much sense as long as $myIP is
what it claims to be (a local IP address). Traffic "from $myIP" will always
come via lo0, not via the network interface it is attached to.
--
Best regards, | max at love2party.net
Max Laier | ICQ #67774661
http://pf4freebsd.love2party.net/ | mlaier at EFnet #DragonFlyBSD
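The conditional-load idea from the reply above, worked out as an added example (this is not code from the original post, and not part of pf or mpd): instead of only switching between two whole rulesets, the script below also filters the interface list of a template rule down to the interfaces that currently exist, so the same `pass in quick on { ... }` rule can be loaded whether or not mpd has created ng0. To keep it runnable offline, the list of present interfaces is passed in as an argument (the constructed samples below stand in for it); on a live FreeBSD box you would feed it the output of `ifconfig -l`. Names such as `pf1`, `pf2`, `rl0`, `rl2` and `ng0` are taken from the thread; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): choose a pf ruleset, or build a
# rule, from the interfaces that exist right now. pf refuses to load a rule
# that names a nonexistent interface, so the interface list is computed first.
#
# Assumption (hypothetical for this example): the list of present interfaces
# is handed in as a space-separated string. On FreeBSD you would obtain it with
#   PRESENT=$(ifconfig -l)
# and then run e.g.  render_rule "rl0 rl2 ng0" "$PRESENT" > /tmp/pf.conf &&
#                    pfctl -f /tmp/pf.conf

# iface_present NAME "LIST" -> exit status 0 if NAME occurs in LIST
iface_present() {
    _name=$1
    _list=$2
    for _i in $_list; do
        [ "$_i" = "$_name" ] && return 0
    done
    return 1
}

# choose_ruleset "LIST" -> prints pf1 when ng0 exists, pf2 otherwise
# (the two-ruleset approach from the reply: pfctl -ef pf1 / pfctl -ef pf2)
choose_ruleset() {
    if iface_present ng0 "$1"; then
        echo pf1
    else
        echo pf2
    fi
}

# present_subset "CANDIDATES" "LIST" -> comma-separated candidates that exist,
# in the form pf expects inside "on { ... }"
present_subset() {
    _out=""
    for _c in $1; do
        if iface_present "$_c" "$2"; then
            _out="${_out:+$_out,}$_c"
        fi
    done
    echo "$_out"
}

# render_rule "CANDIDATES" "LIST" -> the pass rule restricted to existing
# interfaces; returns 1 and prints nothing if none of them exist, so the
# caller does not load an empty "on { }" clause
render_rule() {
    _ifs=$(present_subset "$1" "$2")
    [ -n "$_ifs" ] || return 1
    echo "pass in quick on { $_ifs } proto tcp from \$myIP to any keep state"
}

# Constructed sample inputs (stand-ins for `ifconfig -l` output):
PRESENT_NO_NG0="lo0 rl0 rl1 rl2"      # mpd not running, no ng0 yet
PRESENT_NG0="lo0 rl0 rl1 rl2 ng0"     # mpd up, ng0 exists

# Stand-alone demonstration
echo "ruleset without mpd: $(choose_ruleset "$PRESENT_NO_NG0")"
echo "ruleset with mpd:    $(choose_ruleset "$PRESENT_NG0")"
render_rule "rl0 rl2 ng0" "$PRESENT_NO_NG0"
render_rule "rl0 rl2 ng0" "$PRESENT_NG0"
```

The rendered rule is what you would write into a generated pf.conf and load with `pfctl -f`; a rule that loses all its interfaces is dropped rather than emitted, since `on { }` would itself be a syntax error. Whichever variant you load, the note in the reply about `$myIP` still applies: the rule only does what its author intends if `$myIP` is not a local address of the box.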